The package is published manually to npm by the operator (the #472 gate). Run
the preflight first — it is read-only, never publishes, and never needs
npm login.
npm run preflight (scripts/preflight.mjs) reports and checks four things, exiting non-zero on any
blocking issue:
- Expected toolchain — engines.node (20.x), engines.npm (10.x) and packageManager (npm@10.9.8) vs. the running Node/npm. A mismatch is a warning: publish on Node 20.x / npm 10.x.
- Production audit — an npm audit --omit=dev summary. High/critical findings are warnings to review; the preflight never runs npm audit fix (and never --force).
- Packed contents — npm pack --dry-run with suspicious-file detection. Fails if any generated/local artifact slips into the package: bundled node_modules, *.test.*/*.spec.* files, stray *.tgz tarballs, build caches (.next/cache, .turbo, .vite, .cache), or obvious secret files (.env*, *.pem, *.key).
- Tarball smoke test — packs into a temp dir, installs the tarball into a throwaway project (--ignore-scripts), and verifies the bin + runtime entrypoints land and the bin passes node --check.
The published tarball is governed by the files allowlist in
package.json. Because a files allowlist overrides a root .npmignore, the
artifact exclusions live as negation patterns inside files (e.g.
"!**/*.test.ts", "!**/node_modules/**"). The preflight's suspicious-file
rules (scripts/package-hygiene.mjs, unit-tested) mirror those exclusions —
keep the two in sync. Adding a new *.test.ts anywhere is automatically
excluded by the glob, so no per-file maintenance is needed.
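The following is an added example, not the project's scripts/package-hygiene.mjs or scripts/preflight.mjs. It shows the packed-contents check from the list above and the artifact exclusions this paragraph describes as one set of rules applied to the JSON that npm pack --dry-run --json prints (npm 7+ emits an array of pack reports, each with a files array of { path, size, mode }). The pack report it runs on is constructed, the rule names are this example's own, and PREFLIGHT_PACK_DIR is an assumed environment variable for pointing it at a real tree.

```javascript
// Added example (not the project's package-hygiene.mjs). Applies the
// suspicious-file rules from the packed-contents check to the output of
// `npm pack --dry-run --json`. Written CommonJS-style so it runs as a plain
// .js file; the rules are the same in an .mjs module.

// One rule per artifact class named in the text. Predicates see the
// tarball-relative path with "/" separators and no "package/" prefix.
const SUSPICIOUS_RULES = [
  { name: 'bundled node_modules',
    test: (p) => p.split('/').includes('node_modules') },
  { name: 'test/spec file (*.test.* / *.spec.*)',
    test: (p) => /(^|\/)[^/]*\.(test|spec)\.[^/]+$/.test(p) },
  { name: 'stray tarball (*.tgz)',
    test: (p) => p.endsWith('.tgz') },
  { name: 'build cache (.next/cache, .turbo, .vite, .cache)',
    test: (p) => /(^|\/)(\.next\/cache|\.turbo|\.vite|\.cache)(\/|$)/.test(p) },
  { name: 'secret file (.env*, *.pem, *.key)',
    test: (p) => /(^|\/)\.env[^/]*$/.test(p) || /\.(pem|key)$/.test(p) },
];

// Normalise one pack entry path: npm already uses "/", but a hand-built
// listing may carry backslashes or a "package/" prefix, which are removed.
function tarballPath(entryPath) {
  const p = entryPath.replace(/\\/g, '/');
  return p.startsWith('package/') ? p.slice('package/'.length) : p;
}

// Return [{ path, rule }] for every packed file that hits a rule. A file can
// hit more than one rule (e.g. node_modules/x/.env) and is reported for each.
function findSuspicious(packJson) {
  const reports = JSON.parse(packJson);
  const findings = [];
  for (const report of reports) {
    for (const entry of report.files ?? []) {
      const p = tarballPath(entry.path);
      for (const rule of SUSPICIOUS_RULES) {
        if (rule.test(p)) findings.push({ path: p, rule: rule.name });
      }
    }
  }
  return findings;
}

// Exit status a preflight would use: any finding is blocking.
function exitCodeFor(findings) {
  return findings.length === 0 ? 0 : 1;
}

// Run `npm pack --dry-run --json` in `dir`; --dry-run writes no tarball and
// --ignore-scripts keeps a prepack hook from executing during the check.
function packJsonFor(dir) {
  const { execFileSync } = require('node:child_process');
  return execFileSync('npm', ['pack', '--dry-run', '--json', '--ignore-scripts'],
    { cwd: dir, encoding: 'utf8', stdio: ['ignore', 'pipe', 'inherit'] });
}

// Constructed sample pack report (not real npm output): three clean files
// plus one hit per rule.
const SAMPLE_PACK_JSON = JSON.stringify([{
  id: 'example-cli@1.0.0', name: 'example-cli', version: '1.0.0',
  filename: 'example-cli-1.0.0.tgz',
  files: [
    { path: 'package.json', size: 512, mode: 420 },
    { path: 'dist/cli.js', size: 2048, mode: 493 },
    { path: 'lib/data/cached.json', size: 64, mode: 420 },          // clean: "cached" is not ".cache"
    { path: 'dist/index.test.js', size: 300, mode: 420 },           // test file
    { path: 'node_modules/left-pad/index.js', size: 90, mode: 420 }, // bundled dependency
    { path: 'example-cli-0.9.0.tgz', size: 4096, mode: 420 },       // stray tarball
    { path: '.next/cache/build.json', size: 10, mode: 420 },        // build cache
    { path: '.env.production', size: 40, mode: 384 },               // secret
    { path: 'certs/server.key', size: 1704, mode: 384 },            // secret
  ],
}]);

if (process.env.PREFLIGHT_PACK_DIR) {
  // PREFLIGHT_PACK_DIR is an assumed env var for this example: check a real tree.
  const found = findSuspicious(packJsonFor(process.env.PREFLIGHT_PACK_DIR));
  for (const f of found) console.error(`suspicious: ${f.path} -> ${f.rule}`);
  process.exitCode = exitCodeFor(found);
} else {
  // Demo on the constructed sample; does not set an exit code.
  for (const f of findSuspicious(SAMPLE_PACK_JSON)) {
    console.log(`suspicious: ${f.path} -> ${f.rule}`);
  }
}
```

Every rule keys on the path as it will appear inside the tarball, which is what matters for leakage: a files allowlist negation such as "!**/node_modules/**" and the bundled-node_modules rule above must agree on the same path shape, which is why the example strips any "package/" prefix before matching.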
Run on Node 20.x / npm 10.x:

```sh
npm install
npm audit --omit=dev
npm run typecheck
npm test
npm run app:build
npm run preflight
```

Then the operator performs the manual npm publish (or npm run release:*).